SAP pushes to patch risky HANA security flaws before hackers strike

FRANKFURT – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms. While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions which are the lifeblood of businesses.

The latest security weaknesses, known in industry parlance as “zero day” vulnerabilities, rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said vulnerabilities lay in a HANA component known as “User Self Service” (USS) which would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was rated by it as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or years, in rare cases. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward.

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component first offered by SAP in October 2014 is not activated by default, but must be specially enabled, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (goo.gl/11Dz5w) and Onapsis (goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added. –Reuters